Federal agencies will play a larger role in ensuring the nation’s most critical assets are secure from cyber intrusions, under a White House executive order released last week.
The Commerce Department’s National Institute of Standards and Technology, Department of Homeland Security and the Treasury Department are among the agencies that will decide which critical infrastructures — such as electric grid and water treatment operations — are most at risk of cyber attacks. They will work with industry to develop voluntary security standards for those companies and ensure companies get more useful and timely information about cyber threats.
The executive order can’t create new authorities, but it directs agencies with current regulatory authority, such as the Agriculture Department and Health and Human Services, to consider making new voluntary standards mandatory for the industries they regulate.
Industry experts question whether agencies have the manpower, expertise and financial resources to take on these additional tasks.
With steep budget cuts, whether through sequestration or other means, and with the possibility of furloughs and layoffs, “it isn’t clear to many of us how those [executive order] requirements will be resourced,” said Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks. Dix also serves as chairman of the Partnership for Critical Infrastructure Security, which coordinates security efforts in the private sector.
Industry will create the voluntary security standards for critical infrastructure companies, as called for in the executive order, with oversight from NIST, according to administration officials. NIST will publish a draft cybersecurity framework by October that includes those standards, and work with DHS to publish a final version of the framework within a year. What role government will play in measuring whether companies voluntarily meet the standards is unclear, but the president will be notified of which companies participate in the voluntary program.
Officials from the White House, the Commerce, Homeland Security and Justice departments, and U.S. Cyber Command last week emphasized a “whole of government approach,” as the only solution to the growing cyber threat. The officials urged that the executive order be viewed as only a first step in the effort to defend U.S. critical infrastructure.
“This executive order is really just a down payment,” Michael Daniel, White House cybersecurity coordinator, said at a news conference. “It’s a down payment on legislation because, while there is a lot that we can and will do under this executive order, … we still ultimately need legislation to deal with many of the critical aspects of cybersecurity.”
The message of teamwork among agencies and branches of government was joined by calls for cooperation from industry. Industry’s fears that voluntary standards could turn into requirements torpedoed last year’s cybersecurity legislation sponsored by then-Sen. Joseph Leiberman, I-Conn., and Sen. Susan Collins, R-Maine.
But the executive order does lay the groundwork for what could become mandatory standards for currently regulated industries, such as the chemical and nuclear sectors, and for companies seeking to do business with the government.
By June, the Defense Department and General Services Administration will recommend the feasibility and benefits of incorporating security standards into federal contracts and acquisition planning, and determine whether those standards are consistent with existing procurement requirements.
“We’ve recognized that there very may well be a different obligation imposed on government contractors than might be imposed on other parts of the critical infrastructure,” said Alan Chvotkin, executive vice president and counsel for the Professional Services Council.
Chvotkin welcomed an open process for deciding whether to make security standards mandatory for contractors. He said security standards currently are oftentimes not required, especially if a company isn’t handling protected government data.
The Nuclear Regulatory Commission’s regulatory powers expanded to include cybersecurity following the Sept. 11 terrorist attacks. NRC proposed a rule for cybersecurity in 2006 and published a final rule in March 2009.
“It takes time to put an infrastructure in place,” said Craig Erlanger, who oversees NRC’s Cyber Security and Integrated Response Branch. Erlanger said it took time to develop the internal expertise and build the budget to support NRC’s cybersecurity regulatory work.
“It’s hard to understand over the next year that it’s going to morph into a framework and all the pieces of the puzzle fit together,” Bill Gross, senior project manager for security at the Nuclear Energy Institute, said of the executive order. NEI is a think tank sponsored by the nuclear industry.
Gross said he hopes the executive order won’t complicate the work nuclear plants are doing to secure their assets or strain relationships with NRC.
The executive order directs regulatory agencies, including NRC and DHS, to assess whether their current cybersecurity regulations are sufficient.
“If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the cybersecurity framework and in consultation with their regulated companies,” the White House said.
For agencies such as the Environmental Protection Agency and Agriculture Department, which have limited authority to implement cybersecurity regulations, the executive order directs them to determine if they have enough authority to enforce cybersecurity standards, said Caitlin Hayden, spokeswoman for the White House’s National Security Council. Agencies will make that determination after the standards are published next February.
Agencies that have authority to regulate private-sector cybersecurity will work with DHS to develop their cybersecurity workforces and programs.
However, many agencies, including DHS, are struggling to attract and retain cybersecurity talent. Much of the department’s cybersecurity workforce comprises contractors, and carrying out the order will require even more reliance on contractor expertise.
Under the executive order, DHS will expand its use of programs that bring in industry experts on a temporary basis.
Zachary Fryer-Biggs contributed to this report.